[Openid-specs-ab] Issue #119: Tests with HS256 fail with [ERROR] MissingKey:No suitable verification keys found (openid/certification)

Garyl Erickson issues-reply at bitbucket.org
Fri Mar 20 05:14:54 UTC 2015 

New issue 119: Tests with HS256 fail with [ERROR] MissingKey:No suitable verification keys found
https://bitbucket.org/openid/certification/issue/119/tests-with-hs256-fail-with-error

Garyl Erickson:

For example, using dynamic registration, when I run the test "Symmetric ID Token signature with HS256 [Extra] (OP-IDToken-HS256)", the RegistrationRequest, AuthorizationRequest and AccessTokenRequest all appear to succeed, but then I get [ERROR] MissingKey:No suitable verification keys found.

If the test is trying to verify the signature of the id_token, shouldn't it use the returned client_secret? If I enter the id_token and the client_secret into [this website](http://jwt.io/), it tells me the signature is ok.

This is affecting all tests using HS256.


Test info
Profile: {'openid-configuration': 'config', 'response_type': 'code', 'crypto': 'sign', 'registration': 'dynamic'}
Test description: Symmetric ID Token signature with HS256 [Extra]
Test ID: OP-IDToken-HS256
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"application_type":"web","redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=ebab655c-1168-48e9-820d-7e47f51a6cfe","contacts":["roland.hedberg at umu.se"],"scopes":["openid"],"client_secret":"c1b8e883-9cce-4cd4-a891-012aab4c8657","client_type":"Confidential","registration_access_token":"20a17bc8-bcef-40bb-9631-4798ccf2c00c","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1426827757,"client_id":"ebab655c-1168-48e9-820d-7e47f51a6cfe","client_secret_expires_at":0,"response_types":["code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
[-]
	status: ERROR
	info: No suitable verification keys found

Trace output


0.000254 ------------ DiscoveryRequest ------------
0.000267 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000273 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.468443 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
  "check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
  "claims_parameter_supported": false,
  "claims_supported": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "HS512",
    "RS256",
    "HS384"
  ],
  "issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
  "jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
  "registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_types_supported": [
    "token id_token",
    "code token",
    "code token id_token",
    "token",
    "code id_token",
    "code",
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
  "version": "3.0"
}
0.922443 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "51a5d247-479f-4d47-922a-a9a7138831b7",
      "kty": "RSA",
      "n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
      "use": "sig"
    }
  ]
}
0.923775 ------------ RegistrationRequest ------------
0.924188 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.924195 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600, "id_token_signed_response_alg": "HS256"}
0.924204 --> HEADERS: {'Content-type': 'application/json'}
1.359400 <-- STATUS: 201
1.359452 <-- BODY: {"application_type":"web","redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=ebab655c-1168-48e9-820d-7e47f51a6cfe","contacts":["roland.hedberg at umu.se"],"scopes":["openid"],"client_secret":"c1b8e883-9cce-4cd4-a891-012aab4c8657","client_type":"Confidential","registration_access_token":"20a17bc8-bcef-40bb-9631-4798ccf2c00c","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1426827757,"client_id":"ebab655c-1168-48e9-820d-7e47f51a6cfe","client_secret_expires_at":0,"response_types":["code"]}
1.360094 RegistrationResponse: {
  "application_type": "web",
  "client_id": "ebab655c-1168-48e9-820d-7e47f51a6cfe",
  "client_id_issued_at": 1426827757,
  "client_secret": "c1b8e883-9cce-4cd4-a891-012aab4c8657",
  "client_secret_expires_at": 0,
  "client_type": "Confidential",
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "id_token_signed_response_alg": "HS256",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60052/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60052/authz_cb"
  ],
  "registration_access_token": "20a17bc8-bcef-40bb-9631-4798ccf2c00c",
  "registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=ebab655c-1168-48e9-820d-7e47f51a6cfe",
  "response_types": [
    "code"
  ],
  "scopes": [
    "openid"
  ],
  "subject_type": "Public"
}
1.361694 ------------ AuthorizationRequest ------------
1.362079 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?scope=openid&state=V3nbyFwabk0luy6W&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=code&client_id=ebab655c-1168-48e9-820d-7e47f51a6cfe
1.362087 --> BODY: None
8.638283 <-- scope=openid&state=V3nbyFwabk0luy6W&code=a55dc187-62e4-471c-a8be-1ea216c0be38
8.638598 AuthorizationResponse: {
  "code": "a55dc187-62e4-471c-a8be-1ea216c0be38",
  "scope": "openid",
  "state": "V3nbyFwabk0luy6W"
}
8.638939 ------------ AccessTokenRequest ------------
8.639291 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/access_token
8.639297 --> BODY: code=a55dc187-62e4-471c-a8be-1ea216c0be38&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb
8.639308 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic ZWJhYjY1NWMtMTE2OC00OGU5LTgyMGQtN2U0N2Y1MWE2Y2ZlOmMxYjhlODgzLTljY2UtNGNkNC1hODkxLTAxMmFhYjRjODY1Nw=='}
9.280056 <-- STATUS: 200
9.280140 <-- BODY: {"scope":"openid","expires_in":1209599,"token_type":"Bearer","refresh_token":"69cf0c3f-e753-427f-8a98-e64c18c9c3c5","id_token":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiLCAia2lkIjogIjUxYTVkMjQ3LTQ3OWYtNGQ0Ny05MjJhLWE5YTcxMzg4MzFiNyIgfQ.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJlYmFiNjU1Yy0xMTY4LTQ4ZTktODIwZC03ZTQ3ZjUxYTZjZmUiLCAic3ViIjogImFtQWRtaW4iLCAiYXRfaGFzaCI6ICJLbmRrM1dPMmw4aFlQd1BVcmNxSXJnIiwgImlzcyI6ICJodHRwczovL29pZGNwLm9wZW5yb2NrLm9yZzo4MDQzL29wZW5hbS9vYXV0aDIiLCAib3JnLmZvcmdlcm9jay5vcGVuaWRjb25uZWN0Lm9wcyI6ICJjNzYxZDhmOS1lN2Y5LTRjMzAtOWM4Yy1jYTViMDRjZjFiOGMiLCAiaWF0IjogMTQyNjgyNzc2NSwgImF1dGhfdGltZSI6IDE0MjY4Mjc3NjUsICJleHAiOiAxNDI2ODI4MzY1LCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInVwZGF0ZWRfYXQiOiAiMCIsICJyZWFsbSI6ICIvIiwgImF1ZCI6IFsgImViYWI2NTVjLTExNjgtNDhlOS04MjBkLTdlNDdmNTFhNmNmZSIgXSwgImNfaGFzaCI6ICIwbHhjWk9idFM4dFg1LW5McGViUTR3IiB9.lHHAjRl7hEJa2TbnENpvJuKQFUVwqUJ0qY5D6_bpqXQ","access_token":"9db9f884-afac-437a-8abc-d595ba66e573"}
9.739112 [ERROR] MissingKey:No suitable verification keys found

Result
FAILED

Responsible: Rohe

More information about the Openid-specs-ab mailing list